Web Application Security Guide/Prefetching and Spiders

Prefetching and Spiders

GET requests are not supposed/expected to trigger actions/changes and are happily followed by various browser mechanisms like Prefetching or Session Restore and by crawlers. This can cause unwanted actions to be triggered completely without user interaction and without the need for an attack.

To prevent this

Use POST requests instead of GETs for anything that triggers an action

Rationale

GET requests can be automatically and unintentionally triggered, for example by crawlers. For example in cases of “delete” buttons, this can cause a single user with aggressive Prefetching to accidentally delete everything just by opening a listing page. POST requests are expected to trigger actions and are handled accordingly by browsers.